ITU National Cybersecurity/CIIP Self-Assessment Toolkit: Project Overview

October 2007
Joe Richardson & Robert Shaw <cybmail@itu.int>
ICT Applications and Cybersecurity Division
Policies and Strategies Department, BDT
International Telecommunication Union

ITU Development Sector Role

- ITU Resolution 130: Strengthening the role of ITU in building confidence and security in the use of information and communication technologies (Antalya, 2006)
- From World Telecommunication Development Conference (Doha, 2006):
  - Cybersecurity is priority in Programme 3 activities
  - ITU-D Study Group Question 22/1: Securing information and communication networks: Best practices for developing a culture of cybersecurity

ITU Cybersecurity Work Programme to Assist Developing Countries

- Most countries have not formulated or implemented strategies for cybersecurity and/or Critical Information Infrastructure Protection (CIIP)
- Work Programme scopes a set of high level assistance activities
- Also scopes detailed activities planned in the 2007-2009 period by the ITU Development Sector's ICT Applications and Cybersecurity Division
- Used to develop detailed operational plan for 2008-2009
- www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-cybersecurity-work-programme-developing-countries.pdf

Cybersecurity Work Programme to Assist Developing Countries: High Level Elements

- Assistance related to Establishment of National Strategies and Capabilities for Cybersecurity and Critical Information Infrastructure Protection (CIIP)
- Assistance related to Establishment of appropriate Cybercrime Legislation and Enforcement Mechanisms
- Assistance related to establishment of Watch, Warning and Incident Response (WWIR) Capabilities
- Assistance related to Countering Spam and Related Threats
- Assistance in Bridging Security-Related Standardization Gap between Developing and Developed Countries
- Project on Enhancing Cybersecurity and Combatting Spam
- Establishment of an ITU Cybersecurity/CIIP Directory, Contact Database and Who's Who Publication
- Cybersecurity Indicators
- Fostering Regional Cooperation Activities
- Information Sharing and Supporting the ITU Cybersecurity Gateway
- Outreach and Promotion of Related Activities

Case Study: Activities Related to National Best Practices

ITU-D Study Question 22/1

- Q.22/1: Study Question adopted at World Telecommunication Development Conference (WTDC): Securing information and communication networks: best practices for developing a culture of cybersecurity
- Calls for Member States and Sector Members to create a report on best practices in the field of cybersecurity
- Four-year study cycle
- Pointer to Q.22/1 activities can be found at www.itu.int/ITU-D/cyb/cybersecurity/

ITU-D Q.22/1: Purpose

- To survey, catalogue, describe and raise awareness of:
  - The principal issues faced by national policy makers in building a culture of cybersecurity
  - The principal sources of information and assistance related to building a culture of cybersecurity
  - Successful best practices employed by national policy-makers to organize for cybersecurity
  - The unique challenges faced by developing countries
- To examine best practices for watch, warning, and incident response and recovery capabilities

Q22.1 Draft Report (Sept 2007)

5 key elements to a good national cybersecurity programme:
  - A national strategy
  - A sound legal foundation to deter cybercrime
  - A national incident management capability
  - Collaboration between Government and Industry
  - A national awareness of the importance of a culture of cybersecurity

ITU National Cybersecurity/CIIP Self-Assessment Toolkit

- Based on Q.22/1 Framework Best Practice Documents
- Focused on national management and policy level
- Intended to assist national administrations to:
  - understand existing approach
  - compare to best practices
  - identify areas for attention
  - prioritize national efforts
- http://www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html

ITU National Cybersecurity/CIIP Self-Assessment Toolkit cont'd

Objective: assist nations to organize and manage national efforts to
  - Prevent
  - Prepare for
  - Protect against
  - Respond to, and
  - Recover from
cybersecurity incidents

ITU National Cybersecurity/CIIP Self-Assessment Toolkit cont'd

Looks at organizational issues for each element of the Framework
  - The people
  - The institutions
  - The relationships
  - The policies
  - The procedures

Considerations

- No nation starting at ZERO
- No single "right" answer or approach
- Continual review and revision necessary
- All "participants" must be involved
  - appropriate to their roles

Who are Participants?

National "Participants" responsible for cybersecurity and/or CIIP:
  - "Governments, businesses, other organizations and individual users who develop, own, provide, manage, service and use information systems and networks"
    UNGA Resolution 57/239 Creation of a global culture of cybersecurity

ITU National Cybersecurity/CIIP Self-Assessment Toolkit cont'd

Examines management and policy level for each element of Framework
  - National Strategy
  - Deterring Cybercrime
  - National Incident Management Capabilities
  - Government-Private Sector Collaboration
  - Culture of Cybersecurity

National Pilot Tests

- Vietnam (2007)
- Argentina (2007)
- Ghana (2007)
- To express interest in participating in national pilot tests of the toolkit, please contact cybmail@itu.int
- See Background Information for National Pilot Tests at:
  - www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html

More Information

- ITU-D ICT Applications and Cybersecurity Division
  - www.itu.int/itu-d/cyb/
- ITU National Cybersecurity/CIIP Self-Assessment Toolkit
  - www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html
- Regional Workshop on Frameworks for Cybersecurity and Critical Information Infrastructure Protection
  - www.itu.int/ITU-D/cyb/events/
- Botnet Mitigation Toolkit
  - http://www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html
- Cybersecurity Publications
  - www.itu.int/ITU-D/cyb/publications/

International Telecommunication Union
Helping the World Communicate